Insights
Publications

Twists in the Plot: California AG Releases Final CCPA Regulations

August 27, 2020 Blog

With a little time to consider the finalized California Consumer Privacy Act regulations released by the California Attorney General on August 14, 2020, it is clear that some last-minute negotiations (or perhaps just some thoughtful additional analysis) took place that led to some unexpected changes. The lion’s share of the regulation requirements have been discussed in depth, so let’s just focus on the following noteworthy changes:

  • Language for Do Not Sell Link. Prior versions enabled companies selling personal information to include a link reading “Do Not Sell My Info,” but that language is no longer acceptable and must instead read “Do Not Sell My Personal Information” as called for in the statute. (Section 999.305(b)(3))
  • Agent Verification. While requests to know and delete from an authorized agent of the data subject continue to require significant validation, where the authorized agent is merely making an opt-out request, a signed permission is sufficient verification. (Section 999.315(f))
  • Financial Incentive. The definition for “financial incentive” no longer includes payments/etc. in connection with the “retention” of personal information. Thus, in line with the statute, the requirements concerning financial incentives will not be broadened beyond those offered in connection with the “collection, deletion, or sale” of personal information. (Section 999.301(j))
  • Offline Notice. The final regulations removed the requirement that a privacy notice be provided where the business interacts with consumers offline to collect information (e.g., through an in-store, handwritten e-mail sign-up list). Businesses will instead be able to provide the notice solely on the website. If the business does not have a website, though, it would of course need to provide the notice in connection with the collection of personal data. (Section 999.306(b))
  • Opt-Out Method. The AG had provided that the method of opt-out be “easy for consumers to execute” and “require minimal steps.” While an overly-complicated opt-out procedure will likely still be found to be noncompliant, the removal of this vague language will avoid some additional uncertainty. (Section 999.315)

These changes together signal the Attorney General’s acceptance that some of the steps it had previously taken to broaden the reach of the CCPA went too far, or that clarification was necessary. The enforcement of the regulations, which has begun, will need to play out before we can understand them fully. But one thing we do know is that the regulations will be short-lived and will require significant overhaul if the California Privacy Rights Act of 2020 ballot initiative passes in November and becomes law in 2023. Stay tuned.

Firm Highlights

Publication

California AI Proposal Rethinks Consumer Scope and Recordkeeping

The California Privacy Protection Agency will revisit its  draft  regulations for automated decision-making technology on March 8, including use of artificial intelligence to process personal information. Comment periods should be coming soon in 2024...

Read More
Publication

Thomson Reuters v. Ross Intelligence: AI Copyright Law and Fair Use on Trial

On Sept. 25, 2023, Judge Stephanos Bibas (sitting by designation in the District of Delaware), determined that fact questions surrounding issues of fair use and tortious interference required a jury to decide media conglomerate...

Read More
Publication

Nonprofits’ Use of Artificial Intelligence Systems: Intellectual Property and Data Privacy Concerns

In today's rapidly changing technological landscape, artificial intelligence (AI) is making headlines and being discussed constantly. To be sure, AI provides a powerful tool to nonprofits in creating content and exploiting for countless cost-effective...

Read More
Publication

Major Decision Affects Law of Scraping and Online Data Collection, Meta Platforms v. Bright Data

On January 23, 2024, the court in Meta Platforms Inc. v. Bright Data Ltd. , Case No. 3:23-cv-00077-EMC (N.D. Cal.), issued a summary judgment ruling with potentially wide-ranging ramifications for the law of scraping and...

Read More
Publication

Court Reinstates CPPA Enforcement Authority and Confirms No Delay Necessary for Enforcement of Future CCPA Regulations

A recent appellate decision has made clear that the regulations promulgated under California’s groundbreaking consumer privacy law, the California Consumer Privacy Act (CCPA, as amended by the California Privacy Rights Act (CPRA)), are ripe...

Read More
Publication

BIPA Liability: Existing CGL Coverage May Provide a Lifeline for Policyholders

Developments in the law have increased the potential liability that companies could face under the Illinois Biometric Information Privacy Act (BIPA), but fortunately for policyholders, Illinois case law has also solidified coverage for BIPA...

Read More
News

Scraping Battles: Meta Loses Legal Effort to Halt Harvesting of Personal Profiles

Alex Reese spoke to Matt Fleischer-Black of  Cybersecurity Law Report about the Meta v. Bright Data decision and its impact on U.S. scraping case law. Read the article here (paywall or trial).

Read More
Publication

California Proposes New AI & Automated Decision-Making Technology Regulations

The California Privacy Protection Agency (CPPA) released its draft  regulatory framework for automated decision-making technology (ADMT) on November 27. These regulations are a preview of what new requirements may look like for companies currently...

Read More
Publication

It Wasn’t Me, It Was the AI: Intellectual Property and Data Privacy Concerns With Nonprofits’ Use of Artificial Intelligence Systems

In today's rapidly changing technological landscape, artificial intelligence (AI) is making headlines and being discussed constantly. To be sure, AI provides a powerful tool to nonprofits in creating content and exploiting for countless cost-effective...

Read More
Publication

California Appeals Court Empowers Privacy Agency to Immediately Enforce CCPA Regulations

In  California Privacy Protection Agency et al. v. The Superior Court of Sacramento County  (case number C099130), the Third Appellate District of the California Court of Appeal returned authority to the California Privacy Protection...

Read More